On Thu, Mar 03, 2022 at 04:03:21PM +0000, Daniel P. Berrangé wrote: > When connecting to an NBD server with TLS and x509 credentials, > the client must validate the hostname it uses for the connection, > against that published in the server's certificate. If the client > is tunnelling its connection over some other channel, however, the > hostname it uses may not match the info reported in the server's > certificate. In such a case, the user needs to explicitly set an > override for the hostname to use for certificate validation. > > This is achieved by adding a 'tls-hostname' property to the NBD > block driver. > > Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> > --- > block/nbd.c | 18 +++++++++++++++--- > qapi/block-core.json | 3 +++ > 2 files changed, 18 insertions(+), 3 deletions(-) > > +++ b/qapi/block-core.json > @@ -4078,6 +4078,8 @@ > # > # @tls-creds: TLS credentials ID > # > +# @tls-hostname: TLS hostname override for certificate validation
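Review bot: the new `# @tls-hostname:` line in the qapi/block-core.json hunk does not say what name is validated when the property is omitted. Going by the commit message, the default is the hostname the client uses for the connection, so the doc comment could state that and note that the override only matters together with @tls-creds. That makes it clear to users that setting it changes which name the server certificate is checked against.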
Add the tag '(since 7.0)' (in the interest of soft freeze deadlines, I can do that as part of queuing through my NBD tree if nothing else major turns up in the series), and you can have:

Reviewed-by: Eric Blake <ebl...@redhat.com>

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org